Description
Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection. This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin passes untrusted data to PHP's unserialize(), a PHP Object Injection flaw (CWE-502). Because unserialize() instantiates whatever class the payload names and the runtime later invokes that class's magic methods (__wakeup, __destruct, __toString and similar), an attacker who controls the payload can chain classes already loaded by WordPress core, the theme or other plugins (a "gadget chain") to execute arbitrary code, write files or alter application state. Whether a given site reaches code execution depends on which gadgets are present; the rating assumes the worst case of full compromise of the affected WordPress site.

Affected Systems

The vulnerability exists in CRM Perks Connector for Gravity Forms and Google Sheets, affecting all releases up through version 1.2.6 of the plugin.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue critical: reachable over the network, low attack complexity, no privileges and no user interaction required. The History section shows the record was first published with an 8.2 vector (C:L/I:H/A:N) and revised to 9.8 the next day, with the SSVC assessment moving from "partial, not automatable" to "total, automatable". EPSS is below 1%, meaning no widespread exploitation had been observed when the estimate was made; that lowers the probability, not the impact. The CVE is not on the CISA KEV list. Consistent with the vector and the CWE-502 classification, the expected attack path is an unauthenticated HTTP request whose parameter is fed to the plugin's deserialization routine; an attacker who controls that serialized payload can instantiate arbitrary loaded classes and, given a usable gadget chain, take full control of the WordPress environment.

Generated by OpenCVE AI on April 29, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a release of Connector for Gravity Forms and Google Sheets newer than 1.2.6 as soon as the vendor publishes one; at the time of this entry the Remediation section records no vendor fix or workaround, so check the plugin's changelog rather than assuming the next version is fixed.
  • If an immediate upgrade is not possible, deactivate or uninstall the plugin to eliminate the attack surface.
  • Where the plugin must stay active, apply CWE-502 mitigations at the boundaries you control: have a WAF or request filter reject any request to the plugin's endpoints whose parameters contain PHP serialized object tokens (`O:<n>:"`), and, if you maintain the code, replace unserialize() on external data with json_decode() or at minimum call unserialize() with `['allowed_classes' => false]` so no class can be instantiated from the payload.
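As an added illustration for both the Impact section above and the CWE-502 mitigation bullet, and not the plugin's own code (the vulnerable routine itself is not shown on this page), the following PHP 8 script shows the generic pattern behind a PHP Object Injection finding beside the two hardened alternatives. The `CacheEntry` class, the `/tmp` file path and the serialized payload are constructed for this example and stand in for whatever gadget and input a real site would expose.

```php
<?php
// Added example, not the plugin's code: the generic PHP Object Injection
// pattern (CWE-502) and its hardened alternatives. CacheEntry, the file
// path and the payload are constructed for this illustration (PHP 8+).
declare(strict_types=1);

// Stand-in "gadget": any class already loaded by the application whose magic
// methods have side effects. Here __destruct writes a file, so whoever controls
// the properties of a deserialized CacheEntry controls a file write.
final class CacheEntry
{
    public string $path = '/tmp/cache-entry.txt';
    public string $content = '';

    public function __destruct()
    {
        // Runs when the object is released, including objects that unserialize()
        // built from attacker-supplied bytes.
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable pattern: unserialize() instantiates whatever class the bytes name.
function vulnerableDecode(string $raw): mixed
{
    return unserialize($raw);
}

// Hardening 1: keep the wire format but forbid class instantiation. Object
// tokens become __PHP_Incomplete_Class, whose magic methods do nothing.
function hardenedDecode(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardening 2 (preferred for new code): a format with no object semantics.
function jsonDecode(string $raw): mixed
{
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Boundary check (input filter or WAF rule): reject anything carrying a PHP
// serialized object (O:) or Serializable (C:) token. Coarse by design; a false
// positive costs one rejected request, a false negative costs the site.
function containsSerializedObject(string $raw): bool
{
    return preg_match('/\b[OC]:\d+:"/', $raw) === 1;
}

// Constructed attacker payload: a CacheEntry whose path and content the
// attacker chose. In the real flaw this would arrive in a request parameter.
$payload = 'O:10:"CacheEntry":2:{s:4:"path";s:23:"/tmp/poi-demo-pwned.txt";'
         . 's:7:"content";s:8:"injected";}';

// Impact: the vulnerable decoder builds the attacker's object; releasing it
// fires __destruct and writes the attacker's file.
$obj = vulnerableDecode($payload);
printf("vulnerable decode produced: %s\n", get_class($obj));
unset($obj);
printf("attacker file exists: %s\n", file_exists('/tmp/poi-demo-pwned.txt') ? 'yes' : 'no');
@unlink('/tmp/poi-demo-pwned.txt');

// Mitigation: same bytes, but no CacheEntry is ever created.
$safe = hardenedDecode($payload);
printf("hardened decode produced: %s\n", get_class($safe));

// Boundary check on the malicious payload and on a harmless serialized array.
printf("payload rejected: %s\n", containsSerializedObject($payload) ? 'yes' : 'no');
printf("plain array rejected: %s\n", containsSerializedObject('a:1:{s:1:"k";s:1:"v";}') ? 'yes' : 'no');

// What a form-to-spreadsheet connector should accept instead: plain JSON data.
var_dump(jsonDecode('{"sheet":"Responses","row":["alice","alice@example.com"]}'));
```

Run it with `php poi-demo.php`. The `allowed_classes` option has existed since PHP 7.0, so it is available on any supported WordPress host; it neutralises object tokens but still parses the rest of the payload, which is why JSON is the better choice for new code and why the request-level token check is the mitigation an operator can apply without touching the plugin.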


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 23 Oct 2025 09:15:00 +0000

Type: Metrics
Values Added:
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 21:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection. This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.
Type: Title
Values Added: WordPress Connector for Gravity Forms and Google Sheets plugin <= 1.2.6 - PHP Object Injection vulnerability
Type: Weaknesses
Values Added: CWE-502
Type: References
Values Added: (empty)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:40:56.831Z

Reserved: 2025-09-25T15:34:23.205Z

Link: CVE-2025-60209

Vulnrichment

Updated: 2025-10-22T20:29:17.986Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:57.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:15:14Z

Weaknesses